This topic describes how to set the authentication mode of HiveServer2 to Lightweight Directory Access Protocol (LDAP).

Question

How do I set the authentication mode of HiveServer2 to LDAP?

Answer

In an E-MapReduce cluster, HiveServer2 supports multiple authentication modes, including NOSASL, None, LDAP, Kerberos, PAM, and Custom. You can set the hive.server2.authentication parameter to specify the authentication mode.

  1. Log on to the Alibaba Cloud E-MapReduce console.
  2. Set the authentication mode of HiveServer2 to LDAP and restart HiveServer2.
    1. On the Cluster Management page, click the ID of the E-MapReduce cluster for which you want to set the authentication mode of HiveServer2. In the left-side navigation pane, click Hive. Click the Configure tab and then click hiveserver2-site in the Service Configuration section.
    2. Click Custom Configuration to add parameters.
      To set the authentication mode of HiveServer2 to LDAP, you must add the three parameters listed in the following table.

      | Parameter | Value | Description |
      | --- | --- | --- |
      | hive.server2.authentication | LDAP | The authentication mode. |
      | hive.server2.authentication.ldap.url | Format: ldap://${emr-header-1-hostname}:10389 | Replace ${emr-header-1-hostname} with the actual hostname. You can use SSH to log on to the E-MapReduce cluster and run the hostname command on the emr-header-1 instance of the cluster to obtain the hostname. For more information, see Connect to a cluster using SSH. |
      | hive.server2.authentication.ldap.baseDN | ou=people,o=emr | N/A |

    3. After the parameters are added, click Save in the upper-right corner.
    4. In the dialog box that appears, enter the change description and click OK. A message appears, indicating that the parameters are added.
    5. In the upper-right corner, choose Operation > Restart HiveServer2.
  3. Add an account to the LDAP service.

    In an E-MapReduce cluster, the OpenLDAP service is used by default to manage Knox accounts. HiveServer2 can reuse the Knox accounts for LDAP authentication. For more information about how to add an account, see Knox. In this example, add the emr-test account.

  4. Check whether you can use the new account to log on to HiveServer2.

    Use /usr/lib/hive-current/bin/beeline to log on to HiveServer2 as follows:

    beeline> !connect jdbc:hive2://emr-header-1:10000/
    Enter username for jdbc:hive2://emr-header-1:10000/: emr-guest
    Enter password for jdbc:hive2://emr-header-1:10000/: emr-guest-pwd
    Transaction isolation: TRANSACTION_REPEATABLE_READ

    If the account or password is incorrect, the following error message appears:

    Error: Could not open client transport with JDBC Uri: jdbc:hive2://emr-header-1:10000/: Peer indicated failure: Error validating the login (state=08S01,code=0)
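
The three parameters from step 2 can be checked before HiveServer2 is restarted. The following is an added example, not part of the original topic or of E-MapReduce: it assumes the hiveserver2-site settings are available as Hadoop-style `<configuration>` XML, and the function names and the sample XML are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

AUTH = "hive.server2.authentication"

def load_properties(xml_text):
    """Parse Hadoop-style <configuration><property> XML into a name->value dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_ldap_settings(props):
    """Return (severity, message) findings for the three parameters from the table."""
    findings = []
    mode = props.get(AUTH, "")
    if mode.upper() != "LDAP":
        findings.append(("error", f"{AUTH} is '{mode}', expected LDAP"))
    url = props.get(AUTH + ".ldap.url", "")
    if not url:
        findings.append(("error", "ldap.url is not set"))
    elif re.search(r"\$\{[^}]*\}", url):
        findings.append(("error", "ldap.url still contains a ${...} placeholder"))
    else:
        parsed = urlparse(url)
        if parsed.scheme not in ("ldap", "ldaps") or not parsed.hostname:
            findings.append(("error", f"ldap.url '{url}' is not an ldap:// or ldaps:// URL"))
        elif parsed.scheme == "ldap":
            findings.append(("warning", "ldap:// is not TLS-protected; bind passwords are sent in cleartext"))
    base_dn = props.get(AUTH + ".ldap.baseDN", "")
    if not base_dn or not all("=" in rdn for rdn in base_dn.split(",")):
        findings.append(("error", f"ldap.baseDN '{base_dn}' is missing or not a DN"))
    return findings

# Constructed sample: the hostname placeholder from the table was never replaced.
SAMPLE_XML = """<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name>
            <value>ldap://${emr-header-1-hostname}:10389</value></property>
  <property><name>hive.server2.authentication.ldap.baseDN</name><value>ou=people,o=emr</value></property>
</configuration>"""

if __name__ == "__main__":
    for severity, message in audit_ldap_settings(load_properties(SAMPLE_XML)):
        print(f"{severity}: {message}")
```

An empty result means all three parameters are present and well formed; a lone warning for `ldap://` means the configuration matches the table but the LDAP bind is not encrypted.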